GENERAL ORDERS LINCOLN POLICE DEPARTMENT
SUBJECT: CJIS/NCIC PROCEDURES
TITLE: FBI CJIS SECURITY POLICY CHECKLIST
EFFECTIVE DATE: JUNE 1, 2025
REVISION DATE:
ACCREDITATION: ALABAMA ASSOCIATION OF CHIEFS OF POLICE (AACOP)
APPROVAL: CHIEF SCOTT BONNER
FBI CJIS SECURITY POLICY (v5.6) REQUIRED POLICIES / PROCEDURES CHECKLIST
1207.1 CHECKLIST
Section 1.3: Relationship to Local Security Policy and Other Policies
"The agency shall develop, disseminate, and maintain formal, documented procedures to facilitate the implementation of the CJIS Security Policy, and, where applicable, the local security policy."
Section 4.3: Personally Identifiable Information (PII)
"Agencies shall develop policies based on state and local privacy rules, to ensure appropriate controls are applied when handling PII extracted from criminal justice information (CJI)."
Section 5.1.1: Information Exchange
"In these instances, the dissemination of CJI is considered to be secondary dissemination. Law Enforcement and civil agencies shall have a local policy to validate the requestor of CJI as an authorized recipient before disseminating CJI."
Section 5.1.1.1: Information Handling
"Procedures for handling and storage of information shall be established to protect that information from unauthorized disclosure, alteration, or misuse."
Section 5.3: Incident Response
"Agencies shall (i) establish an operational incident handling capability for agency information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; (ii) track, document, and report incidents to appropriate agency officials and/or authorities."
Section 5.5.2.2(1): Access Control
"Agencies shall document the parameters of the operational business needs for multiple concurrent active sessions."
Section 5.5.6: Remote Access
"The agency may permit remote access for privileged functions only for compelling operational needs but shall document the rationale for such access in the security plan for the information system."
Section 5.5.6.1: Personally Owned Information Systems
"A personally owned information system shall not be authorized to access, process, store or transmit CJI unless the agency has established and documented the specific terms and conditions for personally owned information system usage. When personally owned mobile devices (i.e. bring your own device [BYOD]) are authorized, they shall be controlled in accordance with the requirements in Policy Area 13: Mobile Devices."
Section 5.6.2: Authentication Policy and Procedures
"The authentication strategy shall be part of the agency's audit for policy compliance."
Section 5.6.3.2(2): Authenticator Management
"Agencies shall establish administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators."
Section 5.8: Media Protection
"Media protection policy and procedures shall be documented and implemented to ensure that access to electronic and physical media in all forms is restricted to authorized individuals."
Procedures shall be defined for securely handling, transporting and storing media.
Section 5.8.3: Digital Media Sanitization and Disposal
"The agency shall maintain written documentation of the steps taken to sanitize or destroy electronic media. Agencies shall ensure the sanitization or destruction is witnessed or carried out by authorized personnel."
Section 5.8.4: Disposal of Physical Media
"Physical media shall be securely disposed of when no longer required, using formal procedures. Agencies shall ensure the disposal or destruction is witnessed or carried out by authorized personnel."
Section 5.9: Physical Protection
"Physical protection policy and procedures shall be documented and implemented to ensure CJI and information system hardware, software, and media are physically protected through access control measures."
Section 5.10.1.2(5): Encryption
"For agencies using public key infrastructure technology, the agency shall develop and implement a certificate policy and certification practice statement for the issuance of public key certificates used in the information system."
Section 5.10.1.4(1): Voice over Internet Protocol
When an agency deploys VoIP within a network that contains unencrypted CJI, the following additional policy/guidance requirement shall be implemented: "Establish usage restrictions and implementation guidance for VoIP technologies."
Section 5.10.4.1: Patch Management
"The agency (or the software developer/vendor in the case of software developed and maintained by a vendor/contractor) shall develop and implement a local policy that ensures prompt installation of newly released security relevant patches, service packs and hot fixes." {needs to include the items listed in subsections 1 – 4}
Section 5.10.4.4(3): Security Alerts and Advisories
The agency shall "document the types of actions to be taken in response to security alerts/advisories."
Section 5.12.4: Personnel Sanctions
"The agency shall employ a formal sanctions process for personnel failing to comply with established information security policies and procedures."
Section 5.13: Mobile Devices
"Agencies shall: (i) establish usage restrictions and implementation guidance for mobile devices; and (ii) authorize, monitor, and control wireless access to the information system."
Section 5.13.1.1(14): Review of Wi-Fi Logs
"Enable logging (if supported) and review the logs on a recurring basis per local policy. At a minimum logs shall be reviewed monthly." {Need to include a frequency of log review in local policy}
Section 5.13.1.3: Bluetooth
"Organizational security policy shall be used to dictate the use of Bluetooth and its associated devices based on the agency's operational and business processes."
Section 5.13.5: Incident Response
"In addition to the requirements in Section 5.3 Incident Response, agencies shall develop additional or enhanced incident reporting and handling procedures to address mobile device operating scenarios."
1207.2 RULES OF BEHAVIOR ACKNOWLEDGEMENT FORM - SIGNATURE REQUIRED
Rules-of-Behavior-signature required PDF
1207.3 COMPLAINANT OFFENSE/INCIDENT REPORT SIGNATURE SHEET
See attachment: I-O Sample Signature Sheet.pdf
These policies and operating procedures are not designed to cover every possible scenario or situation in society, but rather to define standard operating procedures for members of the Lincoln Police Department. These guidelines are subject to past, present and future judicial review. These guidelines can be amended and/or repealed by the Chief of Police as necessary. The policies and procedures herein provided supersede all previous policies and orders.